Plan Group Policy for Office 2013

 

Applies to: Office 2013, Office 365 ProPlus

Summary: Plan for using Group Policy to manage Office 2013.

Audience: IT Professionals

This article will help IT administrators who plan to manage Microsoft Office 2013 applications by using Group Policy. To be successful, they must understand their business requirements, security, network, and IT requirements, and their current Office application management practices.

  • Planning for Group Policy

  • Defining business objectives and security requirements

  • Evaluating your current environment

  • Designing managed configurations based on business and security requirements

  • Determining the scope of application

  • Testing and staging Group Policy deployments

  • Involving key stakeholders

Planning for Group Policy

Group Policy enables IT administrators to apply configurations or policy settings to users and computers in an Active Directory directory service (AD DS)_environment. Configurations can be made specifically to Office 2013. For more information, see Overview of Group Policy for Office 2013.

Planning for the deployment of Group Policy-based solutions includes several steps:

  1. Define your business objectives and security requirements.

  2. Evaluate your current environment.

  3. Design managed configurations based on your business and security requirements.

  4. Determine the scope of application of your solution.

  5. Plan for testing, staging, and deploying your Group Policy solution.

  6. Involve key stakeholders in planning and deploying the solution.

Defining business objectives and security requirements

Identify your specific business and security requirements and determine how Group Policy can help you manage standard configurations for the Office 2013 applications. Identify the resources (groups of users and computers) for which you are managing Office settings by using Group Policy and define the scope of your project.

Evaluating your current environment

Examine how you currently perform management tasks that are related to configurations for Office applications. This will help you to determine which kinds of Office policy settings to use. Document the current practices and requirements. You will use this information to help you design managed configurations in the next step. Include the following items:

  • Existing corporate security policies and other security requirements. Identify the locations and publishers that are considered secure. Evaluate your requirements for managing Internet Explorer feature control settings, document protection, privacy options, and blocking file format settings.

  • Messaging requirements for the organization. Evaluate requirements for configuring user interface settings, virus-prevention, and other security settings for Outlook 2013 by using Group Policy. For example, Group Policy provides settings for limiting the size of .pst files, which can improve performance on the workstation.

  • User requirements for Office applications for the various kinds of user roles. This depends largely on users' job requirements and the organization's security requirements.

  • Default file save options to use for Access 2013, Excel 2013, PowerPoint 2013, and Word 2013.

  • Access restrictions to set for Office 2013 user interface items. For example, include disabling commands, menu items, and keyboard shortcuts.

  • Software installation issues, if you are considering this deployment method. Although Group Policy can be used to install software applications in small-sized organizations that have Active Directory installed, there are some limitations, and you must determine whether it is an appropriate solution for your deployment requirements. For more information, see "Identifying issues pertaining to software installation" in Group Policy Planning and Deployment Guide.

    If you manage lots of clients in a complex or fast changing environment, Microsoft System Center 2012 Configuration Manager is the recommended method for installing and maintaining Office 2013 in medium- and large-sized organizations. System Center 2012 Configuration Manager offers additional functionality, such as inventory, scheduling, and reporting features.

    Another option for deployment of Office 2013 in Active Directory environments is to use Group Policy computer startup scripts.

  • The choice between Group Policy and the OCT. Although both Group Policy and the OCT can be used to customize user configurations for the Office 2013 applications, there are important differences:

    • Group Policy is used to configure Office 2013 policy settings that are contained in Administrative Templates. The operating system enforces those policy settings. These settings have system access control list (SACL) restrictions that prevent non-administrator users from changing them. Use Group Policy for configuring settings that you want to enforce.

    • The OCT is used to create a Setup customization file (.msp file). Administrators can use the OCT to customize features and configure user settings. Users can change most of the settings after the installation. We recommend that you use the OCT for preferred or default settings only. For more information about the OCT, see Office Customization Tool (OCT) reference for Office 2013.

  • The decision about whether to use local Group Policy to configure Office settings. You can use local Group Policy to control settings in environments that include stand-alone computers that are not part of an Active Directory domain. For more information, seeOverview of Group Policy for Office 2013.

Designing managed configurations based on business and security requirements

Understanding your business requirements, security, network, IT requirements, and your organization's current Office application management practices helps you identify appropriate policy settings for managing the Office applications for users in your organization. The information that you collect during the evaluation of your current environment setup helps you design your Group Policy objectives.

When you define your objectives for using Group Policy to manage configurations for Office applications, determine the following:

  • The purpose of each Group Policy object (GPO).

  • The owner of each GPO — the person who is responsible for managing the GPO.

  • The number of GPOs to use. Keep in mind that the number of GPOs that are applied to a computer affects startup time, and the number of GPOs applied to a user affects the time that is needed to log on to the network. The greater the number of GPOs that are linked to a user, especially the greater the number of settings within those GPOs, the longer it takes to process the GPOs when a user logs on. During the logon process, each GPO from the user’s site, domain, and organizational unit (OU) hierarchy is applied, provided both the Read and Apply Group Policy permissions are set for the user.

  • The appropriate Active Directory container to which to link each GPO (site, domain, or OU).

  • The location of Office applications to install, if you are deploying the Office 2013 with Group Policy Software Installation.

  • The location of computer startup scripts to run, if you are deploying Office 2013 by assigning Group Policy computer startup scripts.

  • The kinds of policy settings that are contained in each GPO. This depends on your business and security requirements and how you currently manage settings for Office applications. We recommend that you configure only settings that are considered extremely important for stability and security and that you keep configurations to a minimum. Also consider using policy settings that can improve performance on the workstation, such as controlling Outlook .pst file size, for example.

  • Whether to set exceptions to the default processing order for Group Policy.

  • Whether to set filtering options for Group Policy to target specific users and computers.

To help you plan for ongoing administration of GPOs, we recommend that you establish administrative procedures to track and manage GPOs. This helps make sure that that all changes are implemented in a prescribed manner.

Determining the scope of application

Identify Office 2013 policy settings that apply to all corporate users (such as any application security settings that are considered extremely important to the security of your organization) and those that are appropriate for groups of users, based on their roles. Plan your configurations according to the requirements that you identify.

In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or OUs. Most GPOs are typically assigned at the organizational unit level. Therefore, make sure that your OU structure supports your Group Policy-based management strategy for Office 2013. You might also apply some Group Policy settings at the domain level, such as security-related policy settings or Outlook settings that you want to apply to all users in the domain.

Testing and staging Group Policy deployments

Planning for testing and staging is an important part of any Group Policy deployment process. This step includes creating standard Group Policy configurations for Office 2013 applications and testing the GPO configurations in a non-production environment before you deploy Office to users in the organization. If necessary, you can filter the scope of application of GPOs and define exceptions to Group Policy inheritance. Administrators can use Group Policy Modeling (in Group Policy Management Console) to evaluate which policy settings would be applied by a specific GPO, and Group Policy Results (in Group Policy Management Console) to evaluate which policy settings are in effect.

Group Policy provides the ability to affect configurations across hundreds and even thousands of computers in an organization. Consequently, it is very important that you use a change management process and rigorously test all new Group Policy configurations or deployments in a non-production environment before you move them into your production environment. This process makes sure that the policy settings that are contained in a GPO produce the expected results for the intended users and computers in Active Directory environments.

As a best practice for managing Group Policy implementations, we recommend that you stage Group Policy deployments by using the following pre-deployment process:

  • Deploy new GPOs in a test environment that reflects the production environment as closely as possible.

  • Use Group Policy Modeling to evaluate how a new GPO will affect users and interoperate with existing GPOs.

  • Use Group Policy Results to evaluate which GPO settings are applied in the test environment.

For more information, see “Using Group Policy Modeling and Group Policy Results to evaluate Group Policy settings” in the Group Policy Planning and Deployment Guide.

Involving key stakeholders

Group Policy deployments in enterprises are likely to have cross-functional boundaries. As part of preparing for your deployment, it is important to talk to key stakeholders from the various functional teams in your organization and make sure that they participate during the analysis, design, test, and implementation phases, as appropriate.

Make sure that you conduct reviews of the policy settings that you plan to deploy for managing the Office 2013 applications together with your organization's security and IT operations teams to make sure that that the configurations suit the organization and that you apply a set of policy settings that are as strict as necessary to protect the network resources.

See also

Group Policy Administrative Template files (ADMX, ADML) and Office Customization Tool (OCT) files for Office 2013